Apple has pushed emergency security updates for iPhone and iPad after fixing a Notification Services vulnerability that could leave deleted notifications stored on a device longer than expected — a flaw that may have exposed content from encrypted messaging apps such as Signal.

Out-of-band update

The bug, tracked as CVE-2026-28950, was patched on April 22 in iOS 26.4.2 and iPadOS 26.4.2, as well as iOS 18.7.8 and iPadOS 18.7.8. In its security bulletin, Apple said only that “notifications marked for deletion could be unexpectedly retained on the device,” and noted the issue was fixed through improved data redaction.

Apple did not say whether the flaw had been exploited in attacks, why it was handled outside the company’s normal update cycle, or how long notification data could remain accessible. The company also did not describe how the retained data might be recovered.

The timing of the fix comes after reporting from 404 Media described a case in which the FBI recovered Signal messages from a suspect’s iPhone even after they had been deleted in the app. According to trial notes published by supporters of the defendants, the messages were not pulled from Signal’s encrypted message store. Instead, they were recovered from iPhone notification storage, where incoming notifications had allegedly been preserved in internal memory even after Signal was removed.

Apple’s advisory does not mention that case, but its description of notifications remaining on the device closely matches the type of persistence described in the report.

Signal later thanked Apple for acting quickly. “We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication,” the company said in a public statement.

Users are being urged to install the latest updates as soon as possible. Signal also says users can reduce the chance of message content being stored in iOS notification data by changing Signal Settings > Notifications > Notification content to “Name Only” or “No Name or Content.”

BleepingComputer said it contacted Apple for comment but had not yet received a response.

Sources:

bleepingcomputer.com